The Data (Use and Access) Act – The Next Phase of Implementation

In June 2025, the Data (Use and Access) Act (DUAA) received Royal Assent. The DUAA introduced several amendments to existing data protection laws, including the UK General Data Protection Regulation 2016 (UK GDPR), the Data Protection Act 2018 (DPA), and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

According to the UK Government’s official website, the Act’s provisions are being implemented in stages. Many of the data protection-related changes under Section 5 of the DUAA came into effect in February 2026, approximately six months after Royal Assent.

Key Changes Now in Effect
One such change is introduced by Article 81 of the DUAA, which modifies Article 25 of the UK GDPR on data protection by design and by default. This change requires companies providing online services likely to be accessed by children to implement technical and organizational measures to ensure children are well protected.

Further amendments also in force include, among others:

  • Adjustments to purpose limitation provisions.
  • The introduction of a new legal basis referred to as “recognised legitimate interests”.
  • Changes to cookie rules, allowing certain categories of cookies and similar technologies to be set without prior consent under specific conditions.

Please refer to our August 2025 Newsletter Article for a complete list of the amendments.

Upcoming obligation: Handling of data protection complaints
The final provisions on handling data protection complaints will take effect 12 months after Royal Assent, meaning June 2026.

What actions should companies take?
In light of these developments, companies should:

  • Assess if their services are likely to be accessed by children and implement technical and organizational measures to ensure their protection.
  • Establish a complaints procedure that clearly informs data subjects of their right to submit complaints directly to the company and how to do so.
  • Design an internal process for handling data protection complaints without undue delay.
  • Train staff on managing data protection complaints effectively.
  • Clarify the company’s role under the UK GDPR, agree with joint controllers and processors on complaint-handling procedures, and include these in the DPA.
  • Review legal bases for processing and update documents (privacy policies, Records of Processing Activities (ROPA)) when necessary to reflect the DUAA’s requirements.
  • Audit the use of cookies and tracking technologies on websites, apps, or products to ensure compliance.

At ePrivacy GmbH, we can support your organization in complying with the changes introduced by the DUAA and keep you abreast of ongoing developments in the UK.